2011-03-29

This is the second part of a series on OpenVAS, the open-source vulnerability scanner. In my last post, I walked you through compiling the various pieces of OpenVAS and getting it up and running. Now it's time to talk about the fundamentals. For this and future posts, we'll be using the web front-end to OpenVAS, called Greenbone Security Assistant, and we'll assume it's running on your local machine.

Why bother with OpenVAS, or vulnerability scanning in general?

Vulnerability scanners are not "hacking tools!" They're very noisy. They're ungainly. They lack finesse. They're riddled with false positives (vulnerabilities you try to manually verify and turn out to be non-existent) and false negatives (vulnerabilities that it doesn't know about or can't be easily detected and are thus missed). With so many weaknesses, why would you even bother?

Simply put, running frequent vulnerability scans on your network gives you a good baseline complete with the ability to notice a change from one week to the next. At the very least, you get a good feel for the "low-hanging fruit" -- the obvious and easy targets on your network. Additionally, many vulnerability scanners including OpenVAS have the ability to use a scanner agent installed on systems, and login credentials to inspect the local security of your servers, workstations and infrastructure. In this way, you can identify software that's out of date and security settings that are out of compliance. This can be a huge asset to your IT security stance once you have the scanner configured properly and running smoothly. That's easier said than done, unfortunately.

If you'll be using this system as a vulnerability scanner regularly, I recommend a few things:

Make sure the openvas services start at boot. I just added this stuff to /etc/rc.local on Ubuntu server:

echo "Starting OpenVAS Scanner Daemon..."

/usr/local/sbin/openvassd && echo [ OK ]

echo "Starting OpenVAS Manager Daemon..."

/usr/local/sbin/openvasmd && echo [ OK ]

echo "Starting OpenVAS Administrator Daemon..."

/usr/local/sbin/openvasad && echo [ OK ]

echo "Starting Greenbone Security Assistant Web Interface..."

/usr/local/sbin/gsad --http-only && echo [ OK ]

echo "Downloading NVT Updates..."

/usr/local/sbin/openvas-nvt-sync && echo [ OK ]

Make sure you have nightly NVT Updates. I put this in root's crontab to run at 4:00AM each day:

0 4 * * * /usr/local/sbin/openvas-nvt-sync

And there you have it.

When you navigate to the web interface (usually http://localhost) and log in, you'll see the task screen, which I had shown you previously. Take note of the options on the left pane, as we'll be going through most of them.

One of the first things you'll want to do if you didn't set up daily updates is to hit the "NVT Feed" link (not shown above) and update the NVT database.

With that out of the way, our first stop is with scan configurations. OpenVAS comes with five template configurations, each of which might do something useful for you.

You don't need to create a custom scan config to get started with OpenVAS, but If you decide to create a new Scan Config, you'll have the ability to edit it (the wrench will not be greyed out)

and you'll be faced with a huge assortment of scanning options allowing you to fine-tune your scan. You'll also see options for so-called NASL Wrappers, which are scripts that help OpenVAS utilize third-party tools such as nmap, nikto, w3af and others. Tuning your scan parameters is important, but complicated enough that it's beyond the scope of this series. Most vulnerability scanners I've used (Nessus, ISS, etc...) have a configuration section like this, and it's always a very, very deep rabbit-hole. Mastering this is a bit of an art, but I usually break the enterprise up into "classes" so that like-systems are scanned with relevant checks so I'm not throwing 5,000 futile Windows checks at the Linux servers in the DMZ, for example. Feel free to leave me a comment if you want me to discuss this kind of classification setup in more detail.

When building custom configs, I recommend using the existing scan configs as a template, and tweaking things from there to get your bearings. Try the "Full and very deep" scan first if you have any doubts. It's unlikely to knock anything off the network, but be careful! The "Trend" radio button selects whether this scan config will grow and import new NVT plugins or remain static with only the plugins you selected for that particular plugin family. If you start using OpenVAS frequently, you'll probably want to become familiar with tuning scan configs to get rid of false positives or enable more features.

Schedules are triggers for one-time or recurring scans. It's not uncommon to schedule a network vulnerability scan to happen after business hours, so this option helps you there. I usually run weekly scans so that I can compare my security stance from one week to the next. Here, I've created a weekly trigger that runs at midnight (central time) every Tuesday. You can create as many schedules as you want, but none of them will actually do anything until you assign the schedule to a task. By the way, OpenVAS uses UTC for its clock. Keep that in mind.

In the introduction, I had mentioned using credentials or agents to run local security checks. OpenVAS is pretty flexible here, so experiment with the credential options. Create credentials in Greenbone Security Assistant, and make sure that they match an account on the target system. I recommend creating a dedicated account with the bare minimum privileges needed to run the local security checks. In a Windows environment, consider using an active directory service account on the domain. Authenticated scans and local checks open up some of the most powerful features of many vulnerability scanners. I may cover the use of Agents later, but for now, they're beyond the "basics" scope of this post.

Escalator is a funny word for this feature, but this robust option gives you the ability to trigger events based on the completion of a scan. Here, I'm just configuring it to send an email to me when a scan has finished running. Note: you will probably have to install the "mailutils" package or some equivalent on Ubuntu for this to work.

We can finally start picking what hosts or networks we want to scan with the "Targets" option. The target hosts can be single IP addresses, IP address ranges (192.168.0.1-192.168.0.23 or 192.168.0.1-23), CIDR networks like the example below, DNS names, or any combination of them separated by commas. I had mentioned setting up "classes" of scans earlier. Here, you may just insert a comma-separated list of similar servers, for example. The comment is optional, and the port range can also be a comma-separated list of individual port numbers or ranges. "default" uses all of the ports found in /usr/local/share/openvas/openvas-services, which contains over 8,000 ports, a far cry from 65,535. YMMV here. If you wish to use credentials, select them now.

The moment you've probably been waiting for. Create a new task. This is where you'll get to put it all together and start scanning! Here, I assigned a weekly scan schedule. This will run on its own, using the schedule I defined earlier.

If you don't define a scan schedule, you'll end up with an item on the task list, but it won't run on its own until you hit the "Play" icon (Green triangle). I added a manual scan to the task list as well. You can see both the scheduled and manual scans waiting to run here:

Clicking the spyglass icon on a task will show you a list of summaries from each time you've run the task. This weekly scan has only run one time, though, so you only see one summary here.

And clicking the spyglass on a scan summary pulls up the detailed results, which you can filter a number of ways. This page goes on and on, containing every item that was noted in the scan. You can also export the results a number of ways.

One thing that I like about OpenVAS is the fact that the web UI allows you to make remarks about the scan findings, assign arbitrary severity levels (including "false positive") and tune things so that future scans can take your professional opinion into account, if you so desire. You can perform these overrides or add notes to a single instance of a vulnerability or make sure that it applies to other hosts in the same scan. This can make OpenVAS extremely versatile.

Anyway, that's the basics of the OpenVAS scanner and Greenbone Security Assistant. Should be enough to get you started playing around in your own lab environments, or perhaps in a small office environment.

If you get serious about using OpenVAS, you may consider going with the Greenbone's Professional NVT Feed, which operates on a similar model to Tenable Security's Nessus ProfessionalFeed. Again, it's hard to compare OpenVAS and Nessus side by side, but they both try to fill the same niche. I've used both (and several other competing products) and I still can't say any one is actually better than another. The Greenbone Security Assistant Web UI seems like one of the best vulnerability scanner interfaces I've seen, though.

2011-03-21

When Tenable took Nessus through a code re-write and closed its source, the old code was forked a few times. As far as I can tell, OpenVAS is the strongest surviving variant. There's a really old version in most Linux distributions' package repositories, but it's out of date, the 2.x version.

I wanted to get the new version up and running. It turns out that compiling it for the first time was a gigantic clustercoitus of library dependencies and unnecessary branches in the OpenVAS subversion repository. So, I did what I usually do when I meet a challenge worth dissecting: I set up a VM, take some snapshots, and document it.

There are four components to OpenVAS: The scanner, administrator and managers, and then a client program. There are three clients to choose from:

Greenbone Security Desktop, which looks a lot like the older Nessus GUI

Greenbone Security Assistant, a clean web UI similar to the new Nessus, except more feature rich

OpenVAS-cli, a tool that's good for lightweight scheduled scanning

There are well over 100 dependencies to get OpenVAS installed, but this big pile knocked them all out on both Ubuntu 10.10 server and desktop versions:

One last thing: If you really want to use the Greenbone Security Desktop GUI, there's a whole lot more you'll need, but they're all dependencies of libq4-dev. I have grown to really like the Web GUI, so you may want to play with that first before you decide to go with GSD.

sudo apt-get install libqt4-dev

If you pull up the SVN repository, you'll see the following branches. You do not need all of them, and some of them are absolutely massive. It's a big waste of bandwidth, drive space and time to check out everything.

We only want openvas-libraries, openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and gsd. When you first run subversion, you'll have to accept the SSL certificate from OpenVAS.

OpenVAS uses cmake, which is actually pretty slick as long as your dependencies are in order. Simply go into each of the directories above, and run the following commands to compile and install. I'll use openvas-libraries as an example:

cd openvas-libraries

cmake .

make

sudo make install

cd ..

One thing to keep in mind is that several libraries are deployed with the openvas-libraries package, and those are needed for the other packages. Make sure you run ldconfig to update the library cache before compiling the other packages.

sudo ldconfig

Do the same for openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and (if you want to use the native gui), gsd.

Once everything is installed, you need to do a few quick things to set everything up. First, start the OpenVAS Scanner Daemon:

sudo openvassd

update the plugins. This takes a long time the first time you run it.

sudo openvas-nvt-sync

Create a CA (walk through the prompts):

sudo openvas-mkcert

Create a client certificate for OpenVAS Manager (om):

sudo openvas-mkcert-client -n om -i

Rebuild the OpenVAS Manager database, then start OpenVAS Manager

sudo openvasmd --rebuild

sudo openvasmd

Start OpenVAS Administrator, then create an administrator account for yourself:

Launch a client tool. I noticed that on Ubuntu, libmicrohttpd (a library the web UI uses) had some issues with SSL. I'm generally averse to running over plain HTTP, but if you make sure you run it locally or through a tunnel, you should be fine. I had to start Greenbone Security Assistant in http-only mode:

sudo gsad --http-only

Point your browser at http://localhost/ - It looks like this, if you have everything working properly. Here, I'm in the middle of a test scan.

Alternatively, you can run GSD:

gsd

Which looks a bit like this. You use the tabs to navigate it, export reports and all that.

I had trouble getting either GSD or GSA to export the report in PDF format. There may be a library or CLI tool that I'm missing. The HTML export works like a champ.

Update: Poking through the errors I found in /tmp, I discovered that I needed some files provided by LaTeX. Installing texlive-latex-extra and its dependencies got PDF export working, thus I've included it in the list of packages to install with apt-get at the beginning of this post.

In summary, OpenVAS works, and it's come a long way since the original fork of Nessus. It's difficult (and honestly, pointless) to compare OpenVAS to Nessus in their current states. They're not the same, and they likely have different strengths. I've spent quite a bit of time working with the latest versions of Nessus, so OpenVAS is new territory for me. Now that I have it up and running, I look forward to putting it through the paces.

I'll be talking about OpenVAS more in the coming days (or weeks, if things stay as busy as they have been lately). There are some interesting aspects of OpenVAS' architecture I'm playing with.

HiR Featured Columns

HiR Tools

HiR Categories

About HiR

HiR is what happens when 1990s-era e-Zine writers decide to form a blog. Most of us hail from the Great Plains region of the United States.

Ax0n, HiR founder and editor-in-chief is an information security specialist currently working in the luxury goods industry.

Asmodian X joined HiR in December 1997 and currently works as a web developer and SysAdmin in the education industry.

Frogman has been on board since May 1998 and has many technical passions. When not experimenting with obscure hardware, he can be found leaping from one rooftop to the next, making the world his office.

TMiB has also been helping since 1998. Also our resident Physicist and go-to guy for xkcd jokes we don't get, The Man in Black currently works in the Internet industry in an east-coast data center.